Jetpack 2.9.3: Critical Security Update

Jetpack version 2.9.3 contains a critical security update, and you should update your site and any you help manage as soon as possible. You can update through your dashboard, or download Jetpack manually here.

During an internal security audit, we found a bug that allows an attacker to bypass a site’s access controls and publish posts. This vulnerability could be combined with other attacks to escalate access. This bug has existed since Jetpack 1.9, released in October 2012.

Fortunately, we have no evidence of this being used in the wild. However, now that this update is public, it’s just a matter of time before exploits occur. To avoid a breach, you should update your site as soon as possible. (The vulnerability has been disclosed on the MITRE Common Vulnerabilities and Exposures system as CVE-2014-0173.)

This is a bad bug, and Jetpack is one of the most widely used plugins in the WordPress world. We have been working closely with the WordPress security team, which has pushed updates to every version of the plugin since 1.9 through core’s auto-update system. We have also coordinated with a number of hosts and network providers to install network-wide blocks to mitigate the impact of this vulnerability, but the only sure fix is updating the plugin.

Over the next few hours, we will reach out to individuals whose sites are still running an insecure version. Sites that don’t update may be disconnected from the Jetpack service for their own security, and will be able to reconnect as soon as their version of Jetpack is updated.

If you host a large number of Jetpack-powered blogs, please leave your contact information in the comments so we can be in touch in the future. We have prepared and shipped point releases for all eleven vulnerable branches of the Jetpack codebase: 1.9.4, 2.0.6, 2.1.4, 2.2.7, 2.3.7, 2.4.4, 2.5.2, 2.6.3, 2.7.2, 2.8.2, and 2.9.3. If you can force these upgrades for your hosted users, it will prevent their sites from being compromised.
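To make the list of patched branches above mechanically checkable (the comments below show how easy it is to misread), here is an added Python example; it is not Automattic's code and not part of the advisory. It classifies an installed Jetpack version against the eleven patched point releases and the advisory's statement that the bug dates from 1.9. It assumes the installed version is read from the standard `Version:` line in the plugin's main file header, and the sample header it parses is constructed for the example.

```python
import re

# Patched point release for each affected branch, exactly as listed in the
# advisory. The first two components identify the branch.
PATCHED_RELEASES = {
    (1, 9): (1, 9, 4),
    (2, 0): (2, 0, 6),
    (2, 1): (2, 1, 4),
    (2, 2): (2, 2, 7),
    (2, 3): (2, 3, 7),
    (2, 4): (2, 4, 4),
    (2, 5): (2, 5, 2),
    (2, 6): (2, 6, 3),
    (2, 7): (2, 7, 2),
    (2, 8): (2, 8, 2),
    (2, 9): (2, 9, 3),
}
FIRST_AFFECTED_BRANCH = (1, 9)   # the bug was introduced in Jetpack 1.9
NEWEST_AFFECTED_BRANCH = (2, 9)  # 2.9.3 is the current release at the time of the advisory


def parse_version(version):
    """Turn '2.9.3' (or '2.9') into a comparable (major, minor, patch) tuple."""
    parts = version.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError("unrecognised version string: %r" % version)
    numbers = [int(p) for p in parts]
    while len(numbers) < 3:
        numbers.append(0)
    return tuple(numbers)


def is_vulnerable(version):
    """True if this Jetpack version still carries CVE-2014-0173."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch < FIRST_AFFECTED_BRANCH:
        return False          # predates the bug entirely
    if branch > NEWEST_AFFECTED_BRANCH:
        return False          # released after the fix
    fixed = PATCHED_RELEASES.get(branch)
    if fixed is None:
        return True           # in the affected range with no listed fix: treat as vulnerable
    return (major, minor, patch) < fixed


def version_from_plugin_header(php_source):
    """Read the 'Version:' line from a WordPress plugin's header comment.

    Assumption (not stated in the advisory): the installed version is taken
    from the standard plugin header in jetpack/jetpack.php.
    """
    match = re.search(r"^\s*\*?\s*Version:\s*([0-9.]+)", php_source, re.MULTILINE)
    return match.group(1) if match else None


def check_plugin_header(php_source):
    """Return (version, vulnerable) for the contents of a plugin's main file."""
    version = version_from_plugin_header(php_source)
    if version is None:
        raise ValueError("no Version: header found")
    return version, is_vulnerable(version)


# Constructed sample header, shaped like a WordPress plugin file; not a real copy.
SAMPLE_HEADER = """<?php
/*
 * Plugin Name: Jetpack by WordPress.com
 * Version: 2.7.1
 */
"""

if __name__ == "__main__":
    for v in ("1.8.2", "2.0.2", "2.0.6", "2.2.7", "2.9.2", "2.9.3", "3.0"):
        print(v, "vulnerable" if is_vulnerable(v) else "patched or unaffected")
    print(check_plugin_header(SAMPLE_HEADER))
```

Run against each site's plugin file, this answers the question that recurs in the comments: 2.9.3 itself is a patched release, and a site on an older branch is safe once it reaches that branch's listed point release (2.2.7 or 2.0.6, for example) without having to move to 2.9.3.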

Finding and fixing bugs is a key part of software development. I can’t promise there will never be another issue like this, but I can promise that when a problem is found we will do everything in our power to protect as many people as possible, as quickly as possible. We care deeply about each and every WordPress user.

From the paragraph above there is a very real implication that 2.9.3 is vulnerable as well. This is a source of confusion … at least for me.

Read it! Think about it! Tell us what you think!
————————————————————————————————————-
If you host a large number of Jetpack-powered blogs, please leave your contact information in the comments so we can be in touch in the future. We have prepared and shipped point releases for all eleven vulnerable branches of the Jetpack codebase: 1.9.4, 2.0.6, 2.1.4, 2.2.7, 2.3.7, 2.4.4, 2.5.2, 2.6.3, 2.7.2, 2.8.2, and 2.9.3. If you can force these upgrades for your hosted users, it will prevent their sites from being compromised.
——————————————————————————————————-

You can simply do a manual update if you are not sure. I would deactivate and delete the old version, then install the latest version (which includes the update) from the Jetpack site or WordPress.org.

You need to go to Plugins/Installed Plugins. Scroll down to see your Jetpack installation. On the right at the bottom you should see what version you are running. If this is not 2.9.3 (the latest version) then you’ll see a notification below saying, “There is a new version of Jetpack..” and giving a link on the right of that to Update now. Just click on this and you’ll be updated to 2.9.3.
You can’t update from the Jetpack link at the top of the dashboard where you set up your modules, which is probably causing the confusion. You have to update from Plugins/Installed Plugins/Jetpack.
Hope this helps.

Hi there! What version of Jetpack does WordPress say that you are running? You may have been automatically updated already. You can find more info and step-by-step instructions here. And if you need any help, just let us know!

My site is running Jetpack 2.9.3, however this notice above says “Jetpack version 2.9.3 contains a critical security update.” Clicking to download the new .zip file says 2.9.3, so what’s the difference between the one already running on the site and this new one? I’m not being prompted to upgrade in my dashboard either. What am I missing?

As a software/web developer myself, and with the recent Heartbleed vulnerability causing mass hysteria, most of us know and understand that security issues can be found in any software at any time.

What I must admire, is the exceptional way in which the Jetpack and WordPress teams have handled this situation. It’s great to see that such dedication goes into the security of a product, and that the end users are kept so well informed!

IMHO, this makes a perfect case study on handling security vulnerabilities “the right way”.

We passed on the level of customer care that you give us to our own customers, rolling out the update on both our own WordPress networks (containing a total of 21 sites) and our numerous clients’ standalone sites as quickly as physically possible.

I received an email that there is a security vulnerability with the version of Jetpack active on my site. I actually cannot see it anymore on my site, but if I try to upload a new version of Jetpack, 2.9.3, it tells me that it’s already installed. It’s not in my plugins or on my dashboard. Help!

If you have FTP access, you can just overwrite the old plugin with the new one that way. Alternately, deleting and reinstalling an up-to-date version will work, but you may need to enable/disable a few modules if the preferences get affected.

What version of Jetpack does WordPress say that you are running? You may have been automatically updated already. You can find more info and step-by-step instructions here. And if you need any help, send us an email!

What version of WordPress are you on? You may need to update core first, to have the updater run as expected. We’ve just made a change for the older security releases, so you may be able to update them as-is — but we would still strongly encourage you to update core to current.

I’ve removed the 2.0.2 plugins/jetpack and replaced it with 2.0.6. I did not deactivate first, the plugin says it is now 2.0.6, and I was not asked to reconnect with wordpress.com. Am I good for now? Anything missed?

I’m trying to update our WordPress site, but when the update starts it takes me to the Connection Info page and says my credentials are wrong for my FTP (which is correct, I recently changed the password). However, I am unable to make any edits to the password text box on the screen. Is there another place in WordPress I can update Jetpack with my new login credentials?

I’m really confused. I received emails from Jetpack letting me know to update through the dashboard of my sites that has the plugin on, but when I went, I don’t see an option/prompt for me to upgrade. All of my sites have 2.9.3 version when I checked them. So, from my understanding with the emails/messages, 2.9.3 has a major bug and I have to update (re-update?) it to the same version?

Hey, I got this message when updating the plugin…
“Updating Plugin Jetpack by WordPress.com (2/2)
Downloading update from https://downloads.wordpress.org/plugin/jetpack.2.7.2.zip…
Unpacking the update…
An error occurred while updating Jetpack by WordPress.com: Could not copy file. jetpack/_inc/images/footer-clouds-2x.png”

Hello, just so I am clear on what you are saying here: am I correct in thinking that as long as the Jetpack I am running is 2.9.3 that is safe, and anything other than 2.9.3 needs to be updated? Should there be an update on the WordPress sites that do not have Jetpack 2.9.3?

If you run an old version of the plugin, you’ll need to update to 2.9.3, or to a patched version of your current Jetpack plugin. We’ve provided links to each point release for all eleven vulnerable branches of Jetpack in the article.

You’ll need to get in touch with the Slim Jetpack plugin authors to make sure.

Another alternative would be to use Jetpack’s development mode instead of this third-party plugin. The dev mode allows you to use Jetpack without connecting your site to a WordPress.com account. You can read more about it here: http://jetpack.me/support/development-mode/

Looking in the folder “…/wp-content/plugins/jetpack/” I’ve found just a few of the files needed (comparing it to the zip file downloaded from here). All the files are dated “10/04/2014 23.44”, but nobody worked on the site in the last few days. In the folder there is the “readme.txt”: opened, it contains references to version 3.9.3 of Jetpack.
It seems like someone (who? automatically?) tried to update Jetpack without completing the work.
What’s happened?
How can I see if Jetpack’s options stored in the db were modified?
Can I FTP upload the entire folder “jetpack” (3.9.2 or 3.9.3?) to revive the site?
Will I lose the options doing that?
Thanks

We have been working closely with the WordPress security team, which has pushed updates to every version of the plugin since 1.9 through core’s auto-update system. We have also coordinated with a number of hosts and network providers to install network-wide blocks to mitigate the impact of this vulnerability, but the only sure fix is updating the plugin.

We (the Jetpack team) didn’t actually push the auto-update, we put the update together and worked with some WordPress core developers who selected to auto-update WordPress sites that would accept it.

Hey there, I’m having a problem: my Jetpack can’t be updated. Since it failed to be updated I can’t find my Jetpack on the dashboard anymore, and when I try the new installation, it says “destination folder already exists, plugin install failed!” Can someone help me?

Could you please contact one of our Happiness Engineers with your current WordPress version, plugin version, and whether you have FTP access handy via jetpack.me/contact-support? They’d be delighted to walk you through it.

This applies only to sites that are running Jetpack. If you were hacked within the past week, but aren’t using Jetpack, then you must have another security hole somewhere else within your infrastructure.

I have a 3.5.1 WordPress. What is the highest version number of Jetpack that I can install on my WordPress 3.5.1? At the moment I have got Jetpack 2.2.7. How high can I go without updating WordPress?

Well, it completely disappeared from my site when I upgraded. No module on the Jetpack page in my dashboard, no chart at the top of the page when I’m logged in, and when I go to my stats via my bookmark, I get “You do not have sufficient permissions to access this page.” I’m not the only person with this problem, judging by some of the other forums I’ve been commenting on.

Turns out the issue is a conflict with the Subscribe2 widget. When I deactivate that, the Site Stats come back. I’ll have to wait until the Subscribe2 widget author resolves the problem in order to see site stats again.